Results 1 to 10 of 10

Thread: Cellphones

  1. #1
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400

    Cellphones

    With the amazing advent of the cell phone in the past decade,I thought it'd be interesting to have some information on how they actually communicate,some different cellular technologies and a few vulnerabilities in cell phone systems.NOTE:This tutorial is not a comprehensive guide on the subject by any means,and due to reasons of brevity,I've condensed the subject matter,search google if you want more


    Introduction:
    The revolutionary concept which made cell phones so popular was their size.Now,in every electronic circuit,the size of the components depends on the power supply,more the power, larger the component size and vice versa.The other problem cell phones faced during their early use ofcourse,was that there simply wasnt enough bandwidth to go round for a large number of users.Enter frequency reuse: Every city is divided into a number of 'cells' or 'grids' by a cellular network.Each cell comprises of a service area which is attended to by a tower.Now,by making cell phones transmit at a very low operating power,the frequencies transmitted would 'die' out within a cell making it possible for the same frequency to be reused in another cell.All towers are linked to a central MTSO(Mobile Telephone Switching Office) that actually makes your calls for you.


    How calls're actually made:
    Before we get into this,there's the not so little matter of authentication required so that your provider actually knows you're a legit user.When someone turns on their phone,it listens for a SID(System Identification Code) on a control channel.(The bandwidth alloted to a provider is generally divided into two parts:Control channels and Voice channels.Control channels are frequencies that are used to authenticate a phone as well as to change channels or other call setup details.Voice channels are a frequency pair assigned to you temporarily if you decide to make a call).The phone then matches the SID sent to it with the SID already programmed into the phone(in the SIM card).It then transmits a registration request so that the home system(provider) knows which cell you're currently in.If no control channels are presently available,the phone gets a 'network unavailable' or 'no service' message.If you decide to make a call,the MTSO assigns you a random frequency pair and makes the call for you.If you get a call,the MTSO routes it to your particular cell tower and hence,you get the call.The tower you're in also monitors the signal strength on your phone.If you move closer to the end of your cell,the signal strength diminishes and the tower in your adjacent cell that you're moving closer to gets an increase in your signal strength.The MTSO decides at some point to tell your phone to switch frequencies from your original cell to the other one.This is the concept of 'Roaming'.Ofcourse,like your browser establishes a TCP handshake with a site,this process barely takes a few seconds


    Some cellular technologies:

    FDMA:FDMA or Frequency Division Multiple Access is an old out of date system which sends analog signals to transmit information.It was obviated as analog signals could be easily tapped into and they required more power.Each call made had to be made on a different frequency.

    TDMA(Time Division Multiple Access):This technology is being largely used in the world atm.Basically,your voice is encoded,digitised and then put on a time slot for a particular frequency.Each frequency can be divided into 6 time slots,thereby allowing a greater amount of simultaneous transmissions on a particular wave.IS-54 and IS-136 are standards for TDMA American Digital Cellular.They use an algorithm called CAVE(Cellular Authentication, Voice Privacy and Encryption) for authentication and CMEA(Cellular Message Encryption Algorithm) for encryption.(
    CAVE and CMEA are documented in Common Cryptographic Algorithms and Interface Specification for Common Cryptographic Algorithms.

    David Wagner, Bruce Schneier and John Kelsey published Cryptanalysis of the Cellular Message Encryption Algorithm, which documents deep flaws in the CMEA algorithm.(http://www.schneier.com/paper-cmea.pdf)

    CDMA(Code Division Multiple Access):This again is a digital system in which your voice is encoded,digitised and divided into packets.These packets are then tagged with 'codes'.The packets're then sent over the system and the recieving system only accepts packets with codes destined for it.The CDMA system has a better voice quality than any other system.The only downfall is..it's pretty expensive.

    GSM(Global System for Mobile communication):This is a variation of the TDMA system.It digitises data,compresses it and sends it down a channel,each in its own fixed time slot.The GSM system is probably the most popular one in the world atm.

    GPRS(General Packet Radio Service):This is a new NON-VOICE system that is used to send and recieve information.It incorporates several new features and has the advantage of speed among other things.The GPRS facility can also be used to access the Internet throwing open a whole new world of information which naturally come with security concerns

    Bluetooth:Bluetooth is a wireless radio communication system that was originally develpoed by Ericsson.It enables devices to communicate with each other over a range of 10 metres without any wires.One of the main functions of Bluetooth is to provide a handsfree communictaion system between cellular phones.


    Some security probs in the system:


    Tumbling:This method takes advantage of a weakness in the authentication procedure.The phone number or the ESN(Electronic Signal Number) are changed after every call.By utilising a different set of ESN/MIN pairs(MIN is your mobile number),you can call without being charged.However,due to faster databases and agreements between different operators,tumbling incidents are very rare.


    Cloning:Apart from the ESN,the mobile number of an actual subscriber is picked up and programmed into the phone.The provider is forced to think that the call is being made by the professed subscriber.This process involves replacing the EPROM(Electrically Programmable ROM) by a chip which would allow you to change your ESN/MIN pair every time you turned on your cell.Again,this method is dying out due to the increasing complexities of newer phones.


    Bluejacking:Bluejacking involves sending anonymous text messages to other Bluetooth enabled phones within 10 metres of your vicinity.It isnt exactly a malicious problem but it's rather fun to see the expression on someone's face when he gets a message out of nowhere

    BlueSnarfing:This is yet another Bluetooth vulnerability.It allows a hacker/phreaker to download all the information on your phone like phone books etc etc.And since most phones just have an option saying Bluetooth ON/OFF rather than specific configuration options,there's no way you're not at risk from bluesnarfing if you've got Bluetooth enabled.


    Conclusion:
    I havent been able to explain everything in detail as I've tried to keep this as small as possible.If anyone'd like a better explaination please post or search on google
    Cheers

  2. #2
    well well this has been a great help i have been thinking about for quite some time and well it is just great help but can u give some more infomation on cloning does it work now a days and u said to replace EPROM with a chip well i would just love some more help i think u worked really hard on this topic thanks anyway.

  3. #3
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    Not bad

    Conclusion:
    I havent been able to explain everything in detail as I've tried to keep this as small as possible.If anyone'd like a better explaination please post or search on google
    Is there anything that you believe you left out? If you think so, you can still add that infromation to it. For future reference, write the tut on wordpad or word, then copy/paste the finished product over. Also include references, if you received the information from somewhere. Other than that, its not bad at all.....there just isn't that much you could talk about the cell phone technology.

  4. #4
    Senior Member z31200n3's Avatar
    Join Date
    Jan 2004
    Location
    Bellevegas
    Posts
    102
    I enjoyed reading this very much! Great job :-)

  5. #5
    good but should have also mentioned more about cell phone towers and microwaves

  6. #6
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    I would've yourdeadin,but frequencies change with systems,countries and providers..and I wasnt too sure if it'd be too 'electronic',the site being predominantly computer oriented and all
    Thanks for the feedback though

  7. #7
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    One thing that I think should be brought up in this, is with a company called "Air Voice Wireless". The voice mail they offer you is activated after your phone is activated, by calling the cell phone from a land line (Home phone) and pressing # on the number pad.

    This may seem pointless, but if someone can get your cell phone number, they can easily get your voice mail, or completly take it over. All they have to do is beat you to a phone to dial your number into and press the # key, which will allow them to change the password for the voicemail, listen to, and even set the voice message.

    Example:

    You get a Cell phone with them, and leave the store, a customer who was in the store hears your cell phone number, leaves, and goes home. They then dial your cell phone number, and hit "#" and now have complete control of your voice mail. They can also call the cell phone number after changing the password, and say they are from Air Voice Wireless, and that, as a security meassure, your password has been changed to whatever it was they changed it to. How many customers do you think would think twice about this?

    STI Mobile is another company. They have a passcode, and when you buy a phone with them, if anyone else is in the store, they can listen in on what you chose, and why. I guess what I am getting at is, when you buy a cell phone, don't do it around many people.

    Things like this make Social Engineering EASY. Most people pick a Birthday as the passcode, and then you can use that to impersonate Credit Card people, and anything you want.

    Someone may already know about this, but I for one discovered how to do this when I was reading over how the voice mail features work on the Air Voice Wireless system.

    OK fine I'll take credit for figuring it out

  8. #8
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    therenegade,

    Nice job, that is very informative. I would clean up the spelling a little, add a space after periods, between sentences, and beef up the conclusion with a short summary of what you have said. Then cut and paste it back in.

    cheers
    Connection refused, try again later.

  9. #9
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    The Air Voice mail system seems to scream"Come and get me" lol.I havent heard of a system so lax in years.The bit about STI gore..it gets to be a whole lot more secure as companies now block your SIM after three attempts at anything,be it voicemail,recharging an account or trying to access a PIN2 locked phone.
    Relyt,will do,thanks

  10. #10
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    That is easily gotten around. Call the company, say you're a dealer, and give them a 4 digit dealer number, and you're ready to go again. Got to love cellular security

    My 1900th post...Ah well, at least it's being used to show people how to still screw the phone company

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •